{
  "sources": {
    "cluster_logging_config/test-source": {
      "type": "file",
      "include": [
        "/var/log/kube-audit/audit.log"
      ]
    }
  },
  "transforms": {
    "transform/destination/test-splunk-dest/00_splunk_datetime": {
      "drop_on_abort": false,
      "inputs": [
        "transform/source/test-source/01_local_timezone"
      ],
      "source": "if exists(.\"timestamp\") {\n  .\"datetime\" = .\"timestamp\"\n}",
      "type": "remap"
    },
    "transform/source/test-source/00_clean_up": {
      "drop_on_abort": false,
      "inputs": [
        "cluster_logging_config/test-source"
      ],
      "source": "if exists(.pod_labels.\"controller-revision-hash\") {\n    del(.pod_labels.\"controller-revision-hash\")\n}\nif exists(.pod_labels.\"pod-template-hash\") {\n    del(.pod_labels.\"pod-template-hash\")\n}\nif exists(.kubernetes) {\n    del(.kubernetes)\n}\nif exists(.file) {\n    del(.file)\n}\nif exists(.node_labels.\"node.deckhouse.io/group\") {\n\t.node_group = (.node_labels.\"node.deckhouse.io/group\")\n}\ndel(.node_labels)",
      "type": "remap"
    },
    "transform/source/test-source/01_local_timezone": {
      "drop_on_abort": false,
      "inputs": [
        "transform/source/test-source/00_clean_up"
      ],
      "source": "if exists(.\"timestamp\") {\n    ts = parse_timestamp!(.\"timestamp\", format: \"%+\")\n    .\"timestamp\" = format_timestamp!(ts, format: \"%+\", timezone: \"local\")\n}\n\nif exists(.\"timestamp_end\") {\n    ts = parse_timestamp!(.\"timestamp_end\", format: \"%+\")\n    .\"timestamp_end\" = format_timestamp!(ts, format: \"%+\", timezone: \"local\")\n}",
      "type": "remap"
    }
  },
  "sinks": {
    "destination/cluster/test-splunk-dest": {
      "type": "splunk_hec_logs",
      "inputs": [
        "transform/destination/test-splunk-dest/00_splunk_datetime"
      ],
      "healthcheck": {
        "enabled": false
      },
      "encoding": {
        "only_fields": [
          "message"
        ],
        "codec": "text",
        "timestamp_format": "rfc3339"
      },
      "compression": "gzip",
      "default_token": "test-token",
      "endpoint": "192.168.1.1:9200",
      "index": "{{ test }}",
      "indexed_fields": [
        "datetime",
        "namespace",
        "container",
        "image",
        "pod",
        "node",
        "pod_ip",
        "stream",
        "pod_owner",
        "host",
        "app"
      ],
      "tls": {
        "verify_hostname": false,
        "verify_certificate": false
      }
    }
  }
}
